Administrators: Force Secure Passwords Because Users are Lazy. This is the story of how a stolen laptop and a careless employee got me banned from my favorite pawn shop.

The Punchline

The punchline to this story is hidden in my phone call to a complete stranger:

Stranger: How do you know Bob?

Me: All I know about Bob is what I found on his laptop.

And later in the call:

Stranger (to someone in the office with him): This guy on the phone is standing outside a pawn shop in Houston and …

Loud voice in the background: OMG, he found our laptop?!

Author Note: Pawn shops are often a great place to find older camera equipment (I’m hunting for old 35mm Canon lenses for my XSI with adapter ring for artistic shots). I have the expectation that nothing for sale is stolen. This article is not about pawn shops, it’s about security. So no flames please. 🙂

While walking through the electronics section of a pawn shop, I noticed a Dell laptop in the WinXP screen-saver mode. Interested to see if it was worth the $200 price tag, I tapped the space bar for a closer look.

That’s when I met Bob.

There was no login password, dismissing the screen-saver took me right to Bob’s desktop. 2 seconds later, it was obvious something wasn’t quite right. If someone was going to sell their old laptop for a few bucks, chances are they would delete personal and company information; Bob didn’t give up this laptop voluntarily.

Sifting Through Data

Knowing that Bob would probably like to have his laptop back, I spent several minutes sifting through files looking for contact information. There was directory after directory of company financial data, historical pricing information, bid sheets (won and lost) and client contact information. Finally, in a online purchase receipt next to his credit card number, I found Bob’s company phone number.
I found enough information to contact Bob by rifling through the company’s sensitive financial information that was on public display in a resale shop

Calling Bob’s Boss

Bob didn’t answer the phone, but his boss did and was happy to get my call. He notified the police investigator working the recent office robbery and a few hours later, the pawn shop manager received a visit from two officers. After lifting some fingerprints, the nicked laptop was returned to its owners while the manager of my favorite pawn shop was out $200 bucks.

Apparently, the office robbery was perpetrated by someone looking to nab some computer equipment. But had Bob’s laptop been stolen by evil-doers from a rival company, the damage would be immeasurable. For the ripe sum of $200, anyone could have bought this company’s laundry and Bob’s credit card receipts.

Users Hate Security

When it comes to IT security policies, I’ve worked in polar extremes. At one design shop, every C:\ drive was an open share. On the other hand, when working IT litigation support for Enron, VPN was restricted to using company-provided software and our home PCs were required to have extreme password policies enabled. Logging in from home was a 5 minute, multi-step process that IT felt was warranted.

Secure systems are inconvenient for users. For the sake of efficiency, they may choose convenient passwords (or disable security entirely). Users may also prefer the same password for every system, even for their CBS Survivor fan site.

Statistics suggest as many as 600,000 to 1 million laptops are lost or stolen each year

Number of USB Keys lost or stolen yearly is impossible to calculate

Reduce Risk, Fix Bob, Bob is Lazy, Long Live Bob

System and site administrators have to design security with the expectation that users are lazy and have no concept of security. The majority of your users may be well-informed and aware of their responsibility to security. But it only takes one Bob to lose a laptop with a lousy password (if any) to put a business at severe risk.

Enact password and drive encryption policies in your organization to prevent an over-night robbery from turning into a company destroying event. This is not the job of IT managers, CEOs, CFOs or building security. It is the responsibility of system admins and developers. Your company’s data is in your hands, is it worth a $200 laptop resale?

Be a Company Hero

When a member of the sales team forgets his laptop in a taxi and his director storms in your office wanting to know the risks, you can confidently say there is no exposure. The hard drive was encrypted and the login password is impossible — the device is useless without reformatting first. Someone in the world gets a free laptop, but the company is not at risk.

As a side note, the pawnshop owner saw me standing by the laptop for several minutes. So now I can never show my face in that place again. Maybe that’s not a bad thing.

NOTE: I originally wrote this article while working for Dzone.com, August 23, 2008

Unfortunately, the comments are awash in a sea of “stuff”, such as folks making snarky replies to each other. There was even an brief argument of film vs. digital. But once the comment count reached 320, I did some data-mining. And yes, I read them all.

There’s some funny stuff here …

Several people suggested using old or discarded PCs to create RAID controllers. Using old hardware for mission critical work seems a bit risky. The film vs. digital, cloud vs. local, and various media type comments were interesting too.

Not everyone hates Drobo

So far after 4 years of Drobo ownership, I don’t hate it. It has issues (mentioned in my last post), but it does the job expected (so far).

There were plenty of “Me Too” Drobo-disaster stories among the comments. And one commenter insisted he read 70% of the replies, and there were no positive comments about Drobo. Granted, people usually don’t join a gripe fest with a heavy-hitter like Scott Kelby just to be contrary, but I read a few:

Excerpts from “I don’t hate drobo” people:

Commenter

Comment

Michael Gowin

“I’ve been using a drobo for a couple years without any issues …“

donnpr

“Based on your recommendations, I have been running a Drobo 1, 24/7 for about 4 years, no problem.“

Marcus

“I have an early 3 bay FW800 Drobo (circa 2007 I think) which is still going just fine.“

Terry White

“Luckily my 4 Drobo units have been running trouble free 24/7. … the key is to NEVER have your data in just one place. “

And there were those who didn’t buy the drama:

Commenter

Comment

Alan Hess

Alan explained how to pull the drives out of one of the other 2 Drobos to recover the files.

follomobshawn

“I’ve got to ask, why not just pay the $300 (or just $100 now) and repair the [out of warrentee] Drobo?“

Ron Feiner

“After a period of time all drives, or their interfaces, can fail.“

Michael Kummer

“… always sign-up for extended warranty.“

David

“1. Let Drobo ‘repair’ your system, regardless of the cost. 2. After they fix your system, then work with them to improve their system as it will help all of us.“

Mike

“Gee, I don’t know this is a tough one! Particularly if you are a PRIMA DONA …“

And my fav is from coldFuSion

“This is ultra hilarious! you have 3 of these, and they sound like they are backups of each other. how are the pix lost?“

Exactly what I said yesterday.

Side note: Behyer pointed out, (and I didn’t know this), that some Green drives, such as the WD Caviar Green, that spin down to save energy are known to cause problems in Drobos. That’s a pretty nice tip right there.

Ok, enough fun, where’s the real gems?

The comments were full of great suggestions for alternatives to a Drobo system. Some of them were pretty expensive, some were specifically cloud, software or hardware based. And the ones that were well-constructed offered a multi-tactic solution (hardware / cloud / offsite / etc).

Below is a list of the products and services mentioned in the post, aggregated into groups, and ordered by the number of times the product was “mentioned” in the first 320 comments.

Lots of Cloud Options

Cloud is big, and cloud storage had a fairly strong showing among Kelby’s fans.

Something went screwy. That’s the shortest explanation I can provide. To fix it, I had to run the Drupal Cron job hundreds of times until the queue drained.

Unfortunately, I wasn’t interested in sitting at my computer for hours clicking the Run Cron button. So I inserted this little hack into my page. Its an absolute total hack, and very temporary, but gets the job done.